CVE-2021-41259

Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions the uri.parseUri function which may be used to validate URIs accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use a null bytes to bypass the check and mount a SSRF attack.

CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

17 Nov 2021, 15:45

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.6~~	v2 : 7.5 v3 : 9.8
References	~~(CONFIRM) https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc -~~	(CONFIRM) https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc - Exploit, Third Party Advisory
CPE		cpe:2.3:a:nim-lang:nim:1.4.6:::::::* cpe:2.3:a:nim-lang:nim:1.4.4:::::::* cpe:2.3:a:nim-lang:nim:1.4.8:::::::* cpe:2.3:a:nim-lang:nim:1.2.12:::::::* cpe:2.3:a:nim-lang:nim:1.6.0:::::::*

12 Nov 2021, 22:10

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-11-12 18:15

Updated : 2024-02-04 22:08

NVD link : CVE-2021-41259

Mitre link : CVE-2021-41259

CVE.ORG link : CVE-2021-41259

JSON object : View

Products Affected

No product.

CWE

No CWE.

JSON object

Attach tags to CVE-2021-41259

Attach tags to `CVE-2021-41259`